services/archivebox: harden services

Gabriel Arazas 2023-11-07 20:53:45 +08:00
parent 8b812a34c9
commit ad710cdb9d
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -45,8 +45,7 @@ let
lib.nameValuePair lib.nameValuePair
(jobUnitName name) (jobUnitName name)
{ {
description = description = "Archivebox download group '${name}'";
"Archivebox archive group '${name}' for ${cfg.archivePath}";
after = [ "network.target" ]; after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ]; documentation = [ "https://docs.archivebox.io/" ];
preStart = '' preStart = ''
@ -63,15 +62,30 @@ let
LockPersonality = true; LockPersonality = true;
NoNewPrivileges = true; NoNewPrivileges = true;
CapabilityBoundingSet = [ ];
AmbientCapabilities = [ ];
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true; PrivateDevices = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectClock = true; ProtectClock = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
SystemCallFilter = "@system-service"; ProtectProc = "invisible";
ProtectHome = true;
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_LOCAL"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ];
SystemCallErrorNumber = "EPERM"; SystemCallErrorNumber = "EPERM";
StateDirectory = "archivebox"; StateDirectory = "archivebox";
@ -171,19 +185,24 @@ in
(lib.mkIf cfg.webserver.enable { (lib.mkIf cfg.webserver.enable {
systemd.services.archivebox-server = { systemd.services.archivebox-server = {
description = "Archivebox server for ${cfg.archivePath}"; description = "Archivebox web server";
after = [ "network.target" ]; after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ]; documentation = [ "https://docs.archivebox.io/" ];
wantedBy = [ "graphical-session.target" ]; wantedBy = [ "graphical-session.target" ];
serviceConfig = { serviceConfig = {
User = "archivebox"; User = "archivebox";
Group = "archivebox"; Group = "archivebox";
ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${ ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${
toString cfg.webserver.port toString cfg.webserver.port
}"; }";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
Restart = "on-failure"; Restart = "on-failure";
LockPersonality = true; LockPersonality = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
PrivateDevices = true; PrivateDevices = true;
@ -192,7 +211,15 @@ in
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
RestrictAddressFamilies = [
"AF_LOCAL"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ];
SystemCallErrorNumber = "EPERM"; SystemCallErrorNumber = "EPERM";
StateDirectory = "archivebox"; StateDirectory = "archivebox";
}; };
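Review bot: `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` on the archivebox-server unit does not grant that capability — the bounding set only limits what the process may hold, and with `User = "archivebox"`, `NoNewPrivileges = true` and no `AmbientCapabilities` the service starts with no capabilities; with `PrivateUsers = true` a capability would in any case only be valid inside the unit's own user namespace, so it could not bind a host port below 1024. If `cfg.webserver.port` is expected to stay above 1024 (the usual case for a `localhost` bind), the entry is dead weight and should match the job units' `CapabilityBoundingSet = [ ]; AmbientCapabilities = [ ];`; if a privileged port is intended it would need `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` and `PrivateUsers` dropped, with a comment stating which case applies. Separately, the job units now run under `ProtectSystem = "strict"`; if their preStart/ExecStart (cut off in this view) write anywhere outside the `archivebox` StateDirectory — e.g. a `cfg.archivePath` not under /var/lib — they will need `ReadWritePaths = [ cfg.archivePath ];` or the extractors will fail with EROFS. Both `serviceConfig` blocks continue past the ends of their hunks, so some of these settings may already be present in lines not shown.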